OpenStack Heat

Signaling fails when using trusts

Bug #1288223 reported by Thomas Herve on 2014-03-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	High	Steven Hardy	OpenStack Heat 2014.1 "icehouse"
	python-keystoneclient	Fix Released	Medium	Thomas Herve	python-keystoneclient 0.7.0

Bug Description

When trying to signal a resource with trusts enabled, I get "Authorization failed: Expecting to find project, domain, or OS-TRUST:trust in scope." Full traceback at http://paste.openstack.org/show/72550/.

I'm using latest master at 9e60b408c178844ac54b0c83a8be1807f3c2854b, with latest devstack using domain user.

I created a heat_stack_owner role, and gave it to my user (admin/admin).

Using password deferred_auth_method works.

See original description

Thomas Herve (therve) on 2014-03-05

description:

updated

Steven Hardy (shardy) on 2014-03-05

Changed in heat:
assignee:	nobody → Steven Hardy (shardy)

Revision history for this message

Steven Hardy (shardy) wrote on 2014-03-05:

This appears to be a keystoneclient regression:

https://github.com/openstack/python-keystoneclient/commit/7f1881211da4c22a718223af80645d5bfb609f3d

Everything works before that patch was merged but not afterwards, investigation in-progress as to why..

Thomas Herve (therve) on 2014-03-05

Changed in python-keystoneclient:
assignee:	nobody → Thomas Herve (therve)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-05: Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/78224

Changed in python-keystoneclient:
status:	New → In Progress

Steven Hardy (shardy) on 2014-03-05

Changed in heat:
milestone:	icehouse-rc1 → none
assignee:	Steven Hardy (shardy) → nobody
status:	New → Invalid

Jamie Lennox (jamielennox) on 2014-03-05

Changed in python-keystoneclient:
importance:	Undecided → Medium
milestone:	none → 0.7.0

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-06: Related fix proposed to python-keystoneclient (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/78489

Revision history for this message

Steven Hardy (shardy) wrote on 2014-03-06:

As discussed in https://review.openstack.org/#/c/78224/1, there is actually a heat bug, we shouldn't pass project_name when creating a KeystoneClient object with a trust, fix in-progress

Changed in heat:
status:	Invalid → Confirmed
assignee:	nobody → Steven Hardy (shardy)
milestone:	none → icehouse-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-06: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/78562

Changed in heat:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-08: Fix merged to heat (master)

Reviewed: https://review.openstack.org/78562
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=3447a222bdac2782c06de958731dbafc3bc1e3c6
Submitter: Jenkins
Branch: master

commit 3447a222bdac2782c06de958731dbafc3bc1e3c6
Author: Steven Hardy <email address hidden>
Date: Thu Mar 6 09:52:39 2014 +0000

heat_keystoneclient don't pass project and trust_id

    When creating a keystoneclient connection with a trust, we should
    not pass the project_name, as the token can only be scoped to either
    a trust or project, not both. Previous versions of keystoneclient
    worked with both, but recent changes mean this no longer works.

Change-Id: I5c7e7498137d428360f2b5f1e8bd2d079c80cd9b
Closes-Bug: #1288223

Changed in heat:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-25: Related fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/78489
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=d4892017f446ea2f9ae061058b79c1854bb91340
Submitter: Jenkins
Branch: master

commit d4892017f446ea2f9ae061058b79c1854bb91340
Author: Jamie Lennox <email address hidden>
Date: Thu Mar 6 10:58:51 2014 +1000

Enforce scope mutual exclusion for trusts

    We already warn if you try to scope a domain and project together. This
    should be extended to trust scoping rather than clobbering the existing
    scope.

Change-Id: I9d8fe001b65588b1c21e58f38a47456fdad85ee1
Related-Bug: #1288223

Dolph Mathews (dolph) on 2014-03-25

Changed in python-keystoneclient:
status:	In Progress → Fix Committed

Dolph Mathews (dolph) on 2014-03-26

Changed in python-keystoneclient:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-03-31

Changed in heat:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-04-17

Changed in heat:
milestone:	icehouse-rc1 → 2014.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.